Take the "policy" out of IT

Whether it's social media, cloud computing, or boring old desktop usage, apparently the ultimate expression of IT value is producing a multi-chapter treatise of do's and don'ts that will likely be immediately filed in the bin by those that have actual work to do at your company.

Reading the admonishments of the IT "establishment," one could be excused for thinking we were becoming politicians or diplomats. According to the pundits, each new technology and innovation requires a raft of overwrought "policy" documents. Whether it's social media, cloud computing, or boring old desktop usage, apparently the ultimate expression of IT value is producing a multichapter treatise of do's and don'ts that will likely be immediately filed in the bin by those who have actual work to do at your company.

The butt of most corporate jokes, our friends in HR, are another business unit historically mired in policy and in too many cases blind to its actual benefits to the company (or lack thereof). Think of the last time you received a series of email blasts addressed to every employee of your company, heralding the arrival of a new HR policy with the breathless zeal usually reserved for the latest teen celebrity. Was your reaction to drop everything you were doing, click the "refresh" button with bated breath until the newest HR policy appeared on the screen, and read every line with unreserved zeal?

If you are like most normal workers, you are overloaded with work, and if you expend more than eight seconds of consideration on a new HR policy, you are probably 100% more diligent than your peers. IT policies are greeted with similar distain and perhaps even less enthusiasm than HR policies simply because HR is the most visible entity in getting paychecks out the door. Rather than rushing to sign a raft of consultants to a six-figure engagement to develop the perfect IT policy, consider the following.

Treat your employees like adults until proven otherwise

Unless you have reason to suspect otherwise, you can safely treat your employees like adults. Certainly there is some percentage of them who will run an imaginary farm or mafia family during business hours, but more than likely that same demographic is sneaking a peek at their Blackberry or answering a business-related phone call in the off hours. Consider for a moment that these people are likely intelligent enough to realize that Mafia Wars is not work-related, so is a 50-page policy document from IT really going to change this behavior?

In most companies, people are regularly entrusted with million-dollar decisions and are usually able to manage these responsibilities quite capably without a policy document. Apply the same basic logic to your IT resources. Expect your people to make the right decisions without unwieldy lists of "don'ts." Just as when someone makes an inappropriate business decision or steals company resources and they are appropriately punished, educate and reprimand those who misuse IT resources without treating the rest of your staff like children.

Help staff use new tools appropriately

Rather than trying to craft a manifesto, work with interested parties to demonstrate new technologies or educate staff when a publicly available technology might be inappropriate for corporate use. Spend an afternoon with Marketing explaining the latest presence-based social media tools, and IT becomes a trusted advisor rather than the draconian "Facebook police."

Should you see a Web-based technology that poses a definite risk to information security, educate staff on the risk and provide an alternative. Perhaps you don't want employees putting sensitive internal information on a cloud-based storage site; if you can explain the risks in nontechnical terms and provide a reasonable alternative, most employees are willing to work with you and even offer suggestions on how IT might be able to meet a business need. If you block the latest service, you'll spend years playing cat and mouse as users thwart each new block you put in place.

Policies make you look silly

One of the most overlooked points is that overwrought policy documents make IT look silly. Most CIOs are clamoring for the illusive concept of "IT alignment," where IT is perceived as an integral part of the business rather than a cadre of internal order takers. The whole concept of extensive policy documents makes IT seem out of touch. If you can intelligently summarize the risks and associated benefits of new technologies to your executive peers, you can jointly develop a strategy for monitoring and mitigating the risks and promoting and leveraging the benefits. This can and should be a sidebar discussion to IT's other activities. When producing policies is the crowning achievement of an IT organization, it looks all the more compelling to outsource IT.

About Patrick Gray

Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent ...

Full Bio

Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent over a decade providing strategy consulting services to Fortune 500 and 1000 companies. Patrick can be reached at patrick.gray@prevoyancegroup.com, and you can follow his blog at www.itbswatch.com. All opinions are his and may not represent those of his employer.

"Consider for a moment that these people are likely intelligent enough to realize that Mafia Wars is not work-related, so is a 50-page policy document from IT really going to change this behavior?"
No, but you're going to need that policy when you try to fire that employee. Otherwise his labor relations lawyer is going to present the lack of it as justification for reinstating that employee.

You will not use our kit to share your mp3s on Limewire for instance, if you do we will sack you.
Perfectly reasonable thing to do on many levels, but employing people who wouldn't be dumb enough to do such a thing in the first place, educating people about the risks, securing and monitoring your systems so it can't happen, not cheap.
The thing is, is yet another policy IT's default method of mitigating a technology risk.
If you said to me we want to start using P2P to enable a business opportunity, how do we avoid the risks associated with the tech, a word document wwould not be my in my list of potential solutions, ever...
IT policies are not IT, even the IT nazi approach with things like you can't have your own screen saver, is a response to a business requirement, ie you can't have enough money to police a choice of screen saver.
Policies secure nothing, the ideal is always if you shouldn't do it, you shouldn't be able to do it.

In my epxeriance this comes down to one of two reasons.
1. Your policy is holding them up doing their job and they see the value of doing their job as greater than the value of following your policy. This can be anything from "do not remove the safety guard from the milling machine" to "do not use unsecured WiFi connections to connect to our CRM in the field". Consider if your policy helps or hinders the business. Don't try rule out every possible risk ever. Rule out unreasonable risk.
2. some employees are lazy skanks who will avoid work whatever you do. You need policy which is sufficient to fire these people without a lawsuit coming back on you. Before the internet these people read newspapers or phoned their buddies or just did nothing much. This isn't an IT problem. Its a management/ HR issue.
Policy should be short and in plain english so people can and will read it and understand it. Thelonger it is the less chance it has of being read.
Policy needs to be high level, explaining the principals, not specific getting into every possible example.

We have tried this approach in the past...and we end up being the kid tied to the flagpole during lunch hour.
It's a great concept, but unfortunately, we are dealing with individuals who don't mind if intellectual property is compromised. Now, if we were to let everyone come to their house and muck up things for a few days on their home units, then maybe, just maybe, they would have a better comprehension of what lengths we go through to protect them, their business property and our company.
Just my 2cents

If you wish to have an enterprise with those options, I wish you good luck ... In too many situations in my career I've seen people act quite more like kids than adults in a badly managed or not-at-all managed environment...
Worst ever, you want to treat people like adults, but their knowledge about IT is often worse than one than a 5 years old kid. What I mean, you may have 45 years old but your comprehension of a computer maybe not as good as a 5 years old kid. So, how can you make sure that those people perform the good actions when they aren't aware of half what they are doing in front of a computer if there are no restrictions in force?
And I'm not talking about malwares, viruses, and security threats (internal are always more dangerous than external, remember?), legal obligations....
I think that what is not aligning with your enterprise goals must not be authorized. I'm open to check a new thing coming out if it may help productivity but never to let everything let loose (you can call me old mentality if you wish, I don't mind...). For example, if people need internal IM or web based product for intranet, do not go for Facebook. Choose something locked for an enterprise like yammer or internal only IM like OCS from Microsoft or others...
With rules of conduct, chaos will take place, and money will fly through windows ... who can afford that in these days?

This article indicates a lack of maturity and experience. From the typographical errors to the failure to understand that policies are necessary to avoid legal issues, the article indicates that the author does not take responsibility for his work. Sorry to be so harsh. IT people tend to spend way too much time reacting and no where near enough time planning. They react with the quickest, easiest solution they can find and ignore the potential consequences of what is often an irresponsible and inadequate effort. This ends up wasting business resources in the long run. I've seen it happen on several occassions, where an employee fails to follow policy and ends up wasting money. Your point seems to be that if the employee is not going to follow the policy anyway, why have one? In the end the policy becomes the basis to eliminate such employees without risk of a wrongful termination suit.

I think the article points out well how NOT to communicate policies in general. The example of HR spam puts it in the right light. However lack of IT Policies is asking for a world of hurt for the entire company. One worm attack can cause hours or even days of diminished productivity. Let's also not forget that IT policies apply to IT. Imagine no policy for application access? User creation? Incident resoultion?

IT's only responsibility is to ENFORCE the policies outlined by management. You don't see police officers writing legislation and rendering judgement do you? Their job is to enforce written law.
If your IT department is writing AUPs or other policies, you're already starting out in a bad place. The people who have the authority to hold others accountable for infractions should be the ones writing the policy.

I think my biggest confusion and disagreement about what has been said or implied in the article and earlier responses is why a detailed policy is mutually exclusive with conducting layman education with users.
As others have pointed out their responses, policies covering the essential scope and purpose for company resources protect the organization in legal and disciplinary settings. However, the kind of proactive (or more importantly, interactive) education of the company leadership?s views on appropriate computing in the workplace is not mutually exclusive to having a complete written policy.
I argue that comments like users should keep up to date with IT guidelines without coaching is a lackadaisical position to take as an IT department. Giving a concise summary of the changes at regular intervals in smaller servings is a more palatable alternative that encourages understanding and compliance. Following up with engaging user education and demonstrations also reinforces the value of IT policies and provides a feedback mechanism for users to critique new and existing policy for the better.

Treat your employees like adults until proven otherwise: Right, in this context, you're saying to have NO written rules to state the company's expectations of using its equipment. Law suits will be the least of such a company's problems.
Help staff use new tools appropriately: Fine if you don't care who gets the company's confidential information displayed on butt-book and other logicaly inviting info stealers in spam, unsafe sites, etc.. What reason are you going to use to dismiss them; failure to do what they weren't expected to do?
This goes a lot deeper into a comany's guts than you apparently realize. Such a company is going to be full of spies, human and digital both.

Employees prove otherwise constantly. They prove otherwise every time they click on spam, phishing links and malicious attachments in email. They prove it by being careless with smartphones by not setting up a password on the device then proceeding to loose it. Where do I end? End users cannot be trusted to keep data secure regardless of what fantasy world you want to create with no policies. Regardless of how sad it is, one of the most important jobs of the IT department is to protect the user from the user and that takes policies and restrictions.

"Treat your employees like adults until proven otherwise."
This idea was quickly lost as soon as Internet access was given. The majority quickly became the offenders, not the prudent.
IT creates policy to define responsibilities, limit liability, and protect company interests. As Stephen stated above, the best defense is "our policy states".
I would love to limit policies and oversite, but the user base has proven that cannot be allowed.
HR is the same way. Many policies are not of importance to the employee, they are for the protection of the company and its assets. If you raise a concern or challenge a mandate, you will be immediately referred to HR policy X.
Laws are for the lawless, the self controlled due not require them.

Over the past 30 years, I've seen everything from an admin assistant who was on ebay for an average of 6 hours a day--- to an engineer who edited limewire music (22GB of it!) for 5 hours a day. So-- I've evolved an IT policy that is a six-page contract that each employee MUST sign. Without the legaleze, here are the salient points:
1. These are the company's computers, NOT YOURS!
2. You may use the COMPANY computers for work-related tasks and NOTHING else.
3. You may not load anything on Company computers without approval.
4. If you don't know what you can or cannot do, ASK!
5. If you violate these rules, you may be fired, AND you will be personally liable for any cost that the Company incurs because of your violation.
6. If this is not simple enough for you, you are fired NOW as you are too juvenile to work here.
Work is WORK-- it is not liesure time, and the IT equipment is no more your personal property that the chair we gave you to sit in.
The biggest problem in most firms IS NOT who should make policy-- It is finding anyone in management that has the minimal balls needed to ENFORCE simple, common-sense rules.
My recommendation? Fire someone from time to time just to let everyone know you are not willing to hand ALL jobs over to countries where they are making $3.75 an hour-- or LESS!
Draconian? No. Just our little way of making sure we have the money in the bank to back up that paycheck you get on a regular basis.

So the employee failed to follow policy and cost the firm money, so it wasn't an effective policy, or wasn't effectively enforced, or said employee wasn't effectively managed then....
After all what twit employed this person in the first place?
Were they cheap perhaps?

This article is way off base for many if not most organizations in my estimation. I work as a government contractor supporting the DoD. Can I even imagine not having IT policies in this environment? Of course, in this case, national security is often at stake!

...as the phrases used and general stance of the article relies on the fallacy that humans are generally "good" and left to themselves will find the best options and opportunities.
However, as most here have given witness to, mankind defaults to self-interest and dismissal of authority. "I will do as I please." This same ideal is tempered in a public setting to maintain social norms, but without policy (i.e. rules), only self-interest is served.
Now these policies and rules can be both external and internal. Some things we are forced to do, some we internalize and adhere to without external pressure.
So are we truly discussing the effectiveness and need of policy or the depravity of man?

The author must have never worked for a company that was the subject of a sexual harassment lawsuit because one of the users was viewing "Adult Content" withing earshot/view of other employees.
It's been my experience that policies are in place more for legal-backing and to set expectations from employees, not to be "Big Brother" or "The Facebook Police".
Speaking of Facebook, my comapny blocks it because of security and privacy reasons. People are going to find ways to waste time and "Take 5" regardless of the sites we do and don't allow.
Frankly speaking, most of the articles Patrick writes for this site just show how out of touch he really is with those who work in IT. It seems his view of IT professionals is one of the classic unkempt, socially-inept nerd who has a superiority complex.

Although I'm not sure I'm that happy with the role of IT as a police force either...
If management want to enforce policy we will provide the tools and facilities to allow them to do so.
IT should advise on these kind of policies but they need to be owned and enforced by the business leadership.

I rewrote our policy. The previous version was 28 pages of "thou shalt not" comandments and vieled threats. It was awful. I wouldn't read it...
I have rewritten it as a 4 page document which outlines the various risks which the company wishes to mitigate itself against. HR and Senior Management still wanted to add stuff which detracts from its beautiful simplicity but basically it is very high level. Why get into "Facebook" or "orkut" or whatever. Just say "IT systems are provided for business use and excessive personal use may result in disciplinary action." This covers pretty much all eventualities. "use of IT systems fot access materials which are inappropriate for the office environment may lead to..."
Our last policy had whole lists of types of websites you can't go to. Why bother? People know what is and isn't OK.

Sorry Pat, but if you are unaware of legal matters covered by IT policies than you should really not list "Executive IS/IT Management (CIO, CTO)" in your profile.
Surely, the context in which the original post was written is fine from the perspective of helpdesk staff (if it is an eye opener for you, than I am really wondering about your position description now).
That said,
1.) The real purpose of IT policy is to maintain work ethics. That is, most of the IT staff practicing ethical approach (possibly) do not need one (they might use it though to get informed on how their employer thinks about certain things). You need one for those who do not practice appropriate work ethics. Not having one, can cost you a lot of money (especially in Holland where you list that you come from). I am not even going to start on security policies, it could be another eye opener for you, I suspect.
2.) Of course; IT policies that have been written and maintained by idiots are useless (unfortunately most of them are). A proper policy should not hinder anyone from performing their work properly
3.) "A policy is typically described as a principle or rule to guide decisions and achieve rational outcome(s). The term is not normally used to denote what is actually done, this is normally referred to as either procedure or protocol. Whereas a policy will contain the 'what' and the 'why', procedures or protocols contain the 'what', the 'how', the 'where', and the 'when'" - under above definition, could you tell me again what is wrong with a properly written policy?
Judging by your posts and real life (I have run several big IT projects last couple of years with budgets of 4M Euro+) - it is shocking to see and experience how quickly the quality of IT staff is deteriorating in the industry. Over a few years, I suspect it will be really hard to find and employ people that truly know what they are talking about, I am having difficulties doing so already.

I have seen both sides of that coin, one as a end user, and the other as an enforcer of company policy.
My user experience was first encountered shortly after I started with my current employer. For whatever reason, employees were NOT allowed to change the wallpaper on our desktops. Now, I am a fan of a Alicia Keys; and, unaware of that stupid policy, put a quite flattering photo of her (you can find it here: http://www.thewallpapers.org/download/20708/alicia-keys-030-wallpaper/1600x1200) as my desktop.
God, did the s--- hit that fan. I had it out with the brainless wonder (aka `damagement`) in HR who proposed that rule. As a result of me challenging that policy, employees were allowed to change wallpaper as long as it was NOT objectionable (like swimsuit photos). What it took was the exercise of common sense, something absolutely missing in a `zero tolerance` environment (of `damagement`).
But, as an IT enforcer, there are times and places for a `zero-tolerance` policy. IT had determined that someone was using the company internet connection to make files available to people who `knew where to knock`. The type of files involved could have invited a visit from `rights monitoring` organizations. It hurt morale when one of our department got fired for doing that; but, the company could have taken a serious hit financially if that behavior was allowed to continue. Sometimes, you have no choice.
Policies can not always be a `one size fits all` kind of situation.

back before win95 arrived on the scene,
a PC was a device that had to be learned like learning to drive
you had to at least learn basic skills like file management, and the basics of how the guts worked etc. before you went out and bought one
the way it is now, as of the advent of win95,
the whole focus has been shifted to:
[b]A PC is a type of appliance in the same category as a toaster:
- no education required
- go to the store and buy one
- take it home plug it in and start using it[/b]
I've been around long enough that, I don't get hosed by attachments, spam, badsites.OMG, phishing scams etc.
and even bad disks don't hurt much,
other than the time wasted in replacing and copying the files back from the other disk in the pair (all my disks are paired, with the exception of the C:\ partition which is backed up to image)
I also configure: GPEdit & RegEdit etc my systems to the point of,
the average end user would have trouble getting it to do anything for them
I lock down IE so that it's useless for most sites
ie. I set every "Zone" to High Security settings tweak it, and then disable it further in the Advanced Tab
I have never once seen an AV popup alert from the system tray AV icon in the last 9 years while using win2K & XP
(with the exception of the EICAR test file and false positives on older tools like LeakTest from GRC)
and, today with AV installed, people are still getting hosed even on win7
I have been given many older systems of various vintages and never once did I receive a clean win9x & up system,
the only clean system I was given was an old 80386 "DOS only" box that was never connected to anything but power
but as long as the mantra from Redmond is:
Go buy it and use it, without first getting any basic PC, security, web safty etc. education
the problem of end users causing problems will continue on indefinitely!

Treat your employees like adults until proven otherwise: That's a good mantra for mgmnt and has nothing to do with "policy". Without policy, thos who do NOT follow the rules need something in writing to alert them tothe dos and don'ts of using the company's equipment.

I was responsible for generating and managing IT policies and procedures at one point in my career and like you I too fantasized daily about starting a big fire in the back parking lot and feeding it with tome after tome of policies and procedures manuals until they were reduced to the useless pile of ash that I viewed them as. That was until my most senior and experienced systems programmer decided to abuse his super-user level of access to the envornment and, when his services were terminated and he sued the comapny, I ended up in the Industrial Relations court as the star witness.
I was never so happy to be able to rely on the volumes of policies that we had produced which clearly expressed the company's stand on the actions he had taken and which as a senior officer he had signed off on and agreed to adhere to in the execution of his duties - obviously without reading them before signing. After the initial assertion that the systems programmer was not aware that what he had done was prohibited, the first request made by the judge was for the bank to provide proof in its policies and procedures that the relevant information had been documented and circulated to staff. Without our beautiful policies and procedures and our well kept circulation records the bank would have lost and would have paid a couple million dollars in compensation and possibly have to reinstate someone who could no longer be trusted into a highly sensitive job.
There may be some industries that can play fast and loose with policies and procedures and leave things up to the inherent integrity of people but the financial industry and possibly some others cannot afford to do that because the stakes are simply too high.

I absolutely agree with you. There has to be a written explanation of the do's and don'ts of working for any particular equipment of any company lest the employees know nothing of what's expected of them.
On top of that, many have NO idea of what the "policies" prevent and are seen s simply "rules" without reason. So TEACHING is a necessary evil in those areas; so is testing if they're expected to be responsible for what they say/do on the 'net. Many aren't aware of how easy it is to give out personal/company information. How are the supposed to know?
Copy each and every relevant "policy" into their job descrips? For a 500 employee company that's 500 copies of the same rules to each person. Ignorance of the "law" IS acceptable when there is NO LAW stated to break. But when reading the poliicies and not keeping track of updates is THEIR given responsibility and mentioned in their job description or somewehere related to them, THEN ignorance is no excuse. Realiism and reality will bite everyone on the ass; so protect yourself, write it down, and require reading it monthly say, or whenever a policy is announced as changed.
I cannot imagine the non-thinking abilities of one who would say that there should be no protection for the company or its employees writen in easly locatable, readable locations. THEN you have a basis for punishment, even dismissal if necessary, where on the other hand, you'll likely only open yourself to a lot of law suits including OSHA, 9xxxx incorporations, and the list goes on.
To argue against policy making is to argue against your own company, department, job entitlement and more.

We all know that the largest and most expensive violators of policy are more usually described as managers. If one of them breaks one, they must become a very messy public example.
People will work and adhere to rules, but they have to be across the board, no exceptions for the MD's nephew, the current blue eyed boy, the bint you were in the office cupboard with last week. Even yourself, for instance is asking one of your techs to fix your son's computer on work time an abuse of company resources?
Managers are employed as well.

7. From the moment you enter the company, every second spent belongs to the company. If you, so much as spend one single solitary second on anything other than company business, you will be terminated with extreme prejudice.

But sometimes they don't, or they don't care.
I've seen logs from Websense where the same user repeatedly tried to access the same blocked web site, despite the fact that each access told him/her that the site was blocked by agnecy policy (which was actually pretty loose).

You say: "Judging by your posts and real life (I have run several big IT projects last couple of years with budgets of 4M Euro+) - it is shocking to see and experience how quickly the quality of IT staff is deteriorating in the industry."
I agree. I am amazed that there are IT people who claim to be college graduates and yet cannot write a simple sentence without grammatical and spelling errors.

We enforce a solid blue background with company logo centered on the desktop. Management wants a uniform and professional look to our desktops throughout the organization and I agree with them. In the customer areas of our facilities, customers will at times see the background. We as a company want to portray a professional image at all times to our customers. Your background being your favorite sports team, comic, celebrity or whatever does not do that.

The decline in the cost of systems is what allows consumers to have a computer at home. If a laptop computer still cost the 2011 equivalent of 1990's $4000, it wouldn't matter what the OS looked like. People didn't mind spending $150 to learn how to use a $4000 device; there's no point in spending $150 to learn how to use a $500 one, regardless of OS.

If you said "Apple" then I would agree with your post to a decent degree. My Sister in law was sold a MacBook and the guy in the shop told her not to bother with any firewall, AV, etc. because "only Windows users are at risk on the internet". Whereas every Windows version in recent memory has built in firewall and increasing levels of ground level security. In fact this is what peeved most users about the introduction of Vista was UAC and other stuff brought in for security reasons. Users don't like security. They don't like remembering passwords. Never have and never will.

In today's business the stakes are always high. All business should take it seriously. The financial sector is a brilliant example but all industries must protect themselves.
Could you imagine an employee within a Cloud Service Provider having access to the data of possibly thousands of businesses? Such systems are open to abuse - policies are there to enforce and protect the business, and as expected, any client or partner. Even a small business could find an employee is using their systems for personal gain (quietly sub leasing resources in their own name etc)
With the ever increasing loop-hole generation, the documents are only going to grow in size - a technicality could cost a business ??1000, or ??1million. Based on size, either is an unaffordable loss.
Long live policy and process - It's been a part of my working life since my first professional job in my early teens and will remain so until I retire. I create, I enforce and benefit from it daily.
People aren't happy with the size, but essentially only a few need to know them to the letter.
You can still trust your employees and provide any required level of freedom you desire, however you must still protect yourself as a business - which you will always remain, long after any employee leaves.

Your original six points were worded in such a way that his seventh point wouldn't have seemed out of place in your post.
Standards are good as long as everybody is held to those standards, including management. The problem is everybody in the company usually knows when a manager violates policy...except the manager's management. (That's the appearance, as the manager continues to violate policy and his manager continues to do nothing about it.) In the meantime, non-management employees are disciplined and fired for violating the same policies. In my experience, this corporate hypocrisy does more to destroy a company than any other workplace issue.

Every second? Don't be silly! We're running companies here-- not the work Camp in "Cool Hand Luke"! But-- employees do need to "Get their minds right". (Google 'Cool Hand Luke' if you have one of those wasted seconds).
Getting your mind right is the process of learning how to use good judgment. AND-- for the past 30 years, we've been "educating" our kids against JUDGING ANYTHING! This is a PC reaction to the IMPROPER and FLAWED judgments made by bigots, sexists, and hedonistic idiots with no self control-- who did not want to be "judged" for showing up at work hung over or stoned!
Management is all about judgment and discretion. It is difficult. That's (theoretically) why managers are supposed to be getting the "big bucks". But, sometime back in the '70's, we saw that 'judgments' ended up with somebody "feeling bad" 'cause they were judged to be less competent than their peers-- or, even worse, they were found to be doing (dare I say it?) SOMETHING WRONG! This made the person being judged "feel badly". Then, we were convinced that self esteem was the most important thing in life-- even if you were a bleeding, lazy idiot! WE WERE CONVINCED THAT WE ARE ALL SO SPINELESS THAT WE COULDN'T TAKE THE PROCESS OF CRITICISM THAT WOULD LET US LEARN HOW TO BE BETTER AT-- WHATEVER!
The Solution? Simple. No more judging people. No matter what.
The alternative? POLICIES! FORMS! RULES! PAPERWORK!
Examples? Zero tolerance rules in schools. Little Johnny can't take his prescription meds to school to be administered by the school nurse. Why? Zero drug tolerance. So, Johnny stays home. Why? 'Cause the school administrators are so "judgement averse" that they would rather "cover their butts" with the Zero Tolerance Policy instead of analyzing the individual situation (with their brains--which have by now atrophied!).
A bigger example? In the 1870's we invented the Civil Service system to eliminate the "abuse of discretion" in hiring (abuses like nepotism, cronie-ism, etc.). The result? a paper system so massive that it has eliminated ANY discretion in hiring and firing of gov't. employees! Decisions are NEVER on the heads of the managers-- it's always a system or policy thing! A guy shows up with a bomb in his underwear, and no one gets fired-- instead, we're told it was a "system problem."
What's wrong with this? THE WORLD, AND THE WORKPLACE IS WAY TOO COMPLICATED FOR A PAPER SET OF RULES TO COVER EVERYTHING! THE POLICIES AND PAPERWORK BECOME A CRUTCH FOR MANAGERS TO ABDICATE THEIR DUTY TO USE GOOD JUDGMENT! THIS IS SEEN BY EMPLOYEES--AND STUDENTS. THEY LEARN THAT ANYTHING GOES IF IT IS NOT IN THE POLICY. AND, EVERYTHING CANNOT BE IN THE POLICY.
The PC anti-judgment, anti-discretion attitude is why we have IT abuse in the first place. We need managers who set good examples by constantly pointing out good AND BAD behavior.
Every second? Of course not. We need employees who are human enough to congratulate their fellow workers on big life events-- to sympathize with them in their tragedies-- to discuss why the Steelers won, or why the Browns lost (short discussion there!).
We DON'T need somebody downloading 12,000 songs for their Ipod-- or forwarding dirty jokes to their cousin in emails. Nor do we need Elf Bowling, Holiday screensavers with spyware, or Facebook Virus Scams.
No, you should NOT be fired if you Google the 'Cool Hand Luke' reference above. Hey, you might use it in your next presentation speech! BUT--if you spend half of the morning on IMDB cause you want to research every Paul Newman movie-- That's another matter! THAT'S WHERE MANAGERIAL JUDGMENT COMES IN! IF YOU DON'T KNOW THE DIFFERENCE, OR, IF YOU DON'T HAVE THE YA-YA'S TO MAKE THE ARGUMENT TO THE HR DEPARTMENT-- THEN, IN MY JUDGMENT, YOU ARE NOT A MANAGER! AND, FOR GOODNESS SAKE, PLEASE DON'T EXPECT SOMEBODY IN THE IT DEPT. TO WRITE YOU A POLICY THAT YOU CAN HANG YOUR HAT ON IN EVERY SIMILAR CASE! ALSO, IF YOU ARE THAT JUDGMENT AVERSE, YOU SHOULD EXPECT YOUR COMPANY TO PUT YOU BACK INTO THE JOB MARKET WHEN A FIRM WITH REAL MANAGERS ROLLS OVER YOUR COMPANY!
Remember a year ago when Wall Street nearly caused the apocalypse when they said it wasn't their fault 'cause they had paperwork from other analysts who said sub-primes were really OK? They did that INSTEAD of using GOOD JUDGMENT!
SO-- Write a policy. Make it general enough to cover the interests of the company, to protect it legally, to ensure security. AND make it clear that the "micro" and situation-specific details are THE RESPONSIBILITY OF MANAGERS IN THEIR OWN JUDGMENT AND DISCRETION. If your managers have no capacity for judgment and discretion, fire THEM!

My only argument is that Adults cannot follow rules that do not exist. What may seem to be common sense to I.T. may not be common for the rest of the company. I really hate developing policies that cover possible abuses, but it is a necessary evil.

...please keep in mind that not all the people here are native English speakers, or use English as primary language at their job (myself included).
It is the content that is worrying me, such as extremely poor argumentation, total absence of fact; and/ or obvious lack of knowledge or experience -- more than grammatical or spelling errors.

on a blue background would say to me the lazy f'kers aren't working....
It's a sad loser control freak policy. Okay you don't want pictures of naked women all over them, but you deal with that issue as it arises. It's way better than telling your people, individuality is undesirable...

the way the OS looks is not the issue
the main thrust of "The MS" marketing strategy since win95 has been
"to put a windows PC in every home"
and with that marketing strategy comes
more sales = lower costs = more sales =
every normal person, every genius and every idiot owns at least one

We use Windows 7 and Server 2008R2 so all this talk of ancient history is fun but irrelivant.
Lets face it my local Ford dealer doesn't offer driving lessons. Don't buy stuff you can't operate. Simple.
"Ford never told me I couldn't drink a bottle of Jack D before driving, boo hoo."

with Apple it was the same story
in the beginning you had to have a clue how to operate the thing
the first Apple I used, IIe had a tape drive and you had to type Load program name at the prompt and even when we got the 5.25" floppy you still had to load programs that way
and now they're just as guilty of the
[b]a PC / Mac is as easy as a Toaster[/b]
mentality
so the problem with both is neither are as concerned about you the end user learning how to properly use the full feature set of the OS including the underlying guts, security, self-directed file management etc. as they are about padding their wallets with annual millions of units sold verses the annual few thousand units sold in the earlier years
specifically the sales of new PC's & OS discs jumped up significantly after win95 because of the PC in every home [b]Toaster[/b] type marketing
I only ever met 5 people who had win3.1x on a PC @ home in the 90's
but nearly everyone I meet now has had some level of win9x & up usage
back then grandma & grandpa weren't interested in DOS & win3.1x because it required "Learning" something about how to use it
now you go to the store and they throw one at you and say: "here ya go, ..."
(now go get infected and bring it back for service)
the shops around here in the win3.1x days offered a day or two of 1 hour simple instruction on how the system worked and how to use it
including installing DOS & win3.1x on yer new system because only a very small amount of systems were OS pre-installed,
until win95 came along
now, it's here ya go ... we've got yer money now get lost!